Over the past few weeks, Ivanti has issued warnings about multiple zero-day vulnerabilities in its VPN products, exploited by suspected Chinese state-backed hackers since December 2023. The initial disclosure covered two CVEs, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), which chained together allow an unauthenticated remote attacker to execute commands on the appliance.
Since then, Ivanti's initial mitigation has been bypassed, and two additional flaws have been disclosed and patched: CVE-2024-21888, a privilege escalation, and CVE-2024-21893, a server-side request forgery.
Due to the severity of these vulnerabilities, CISA has released an advisory as well as an emergency directive (ED 24-01) setting the timeline for mitigation. The directive now requires federal agencies to disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure from agency networks; any other organisation running these products should be equally cautious.
Likely attack chain (as reported by the Zscaler ThreatLabz team):
Initial Exploitation: The attackers performed mass scanning for vulnerable devices, most likely followed by automated exploitation.
Persistence: After successful exploitation the attackers deployed several variants of web shells on the targeted devices. With this foothold they could steal configuration data, modify existing files, download remote files and reverse-tunnel out of the devices. They also backdoored configuration files and deployed additional tooling.
Reconnaissance: The attackers performed reconnaissance of internal systems and applications through connections proxied via the compromised devices.
Credential Stealing: The attackers injected a custom JavaScript credential harvester, called WARPWIRE, into a login page used by end users, capturing and exfiltrating plaintext credentials.
Lateral Movement: Using the compromised credentials, the attackers moved laterally to internal systems over RDP, SMB and SSH.
Evidence Wiping: The attackers were observed wiping logs and even restoring the system to a clean state after deploying their payloads.
Evasion (Patch and Detection): In some instances the attackers modified the Integrity Checker Tool (ICT) so that it no longer flagged modifications or additions on the system. The ZIPLINE tool used by the attackers can likewise evade the ICT by adding itself to the ICT's exclusion list. As the attacks were discovered and publicised, the attackers quickly adapted by modifying their tools to evade detection, so new variants of the original tooling are being observed in more recent intrusions.
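The evasion described above (a tampered ICT, and a tool that adds itself to the ICT's exclusion list) is exactly what an integrity check has to survive. The following is an added example, not Zscaler's, Ivanti's or the ICT's own code: a minimal file-integrity check in Python whose baseline and exclusion list are serialised together and authenticated with an HMAC under a key that is kept off the appliance. The sample file tree, file contents, key and function names are all constructed for the example. It replays the post-exploitation changes listed above (a modified login script and an added web shell) against a naive check that trusts the on-box exclusion list, and against the authenticated check.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical key; in practice it is kept with the baseline, off the appliance.
KEY = b"off-box-baseline-key-example"


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def sign_baseline(hashes, exclusions, key=KEY):
    """Serialise hashes and exclusions together and MAC the whole payload,
    so neither can be edited independently of the other."""
    payload = json.dumps({"hashes": hashes, "exclusions": sorted(exclusions)},
                         sort_keys=True).encode()
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def diff_tree(current, hashes, exclusions):
    """Report modified, added and missing paths, honouring the exclusion list."""
    excl = set(exclusions)
    return {
        "modified": sorted(p for p, h in hashes.items()
                           if p in current and p not in excl and current[p] != h),
        "added": sorted(p for p in current if p not in hashes and p not in excl),
        "missing": sorted(p for p in hashes if p not in current),
    }


def naive_check(root, payload):
    """Weak check: trusts whatever baseline and exclusion list it is handed."""
    b = json.loads(payload)
    return diff_tree(hash_tree(root), b["hashes"], b["exclusions"])


def signed_check(root, payload, tag, key=KEY):
    """Hardened check: refuses a baseline whose MAC does not verify."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return {"tampered_baseline": True}
    b = json.loads(payload)
    result = diff_tree(hash_tree(root), b["hashes"], b["exclusions"])
    result["tampered_baseline"] = False
    return result


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake appliance tree, apply the
    post-exploitation changes, then try to hide them via the exclusion list."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "web/login.cgi", "#!/bin/sh\necho login\n")
        _write(root, "web/js/auth.js", "// constructed legitimate login script\n")
        _write(root, "etc/config.xml", "<config/>\n")
        _write(root, "var/log/messages", "boot ok\n")
        # Logs change legitimately, so they are excluded when the baseline is taken.
        payload, tag = sign_baseline(hash_tree(root), ["var/log/messages"])

        # Attacker: alter the login script, drop a web shell, and the log grows.
        _write(root, "web/js/auth.js", "// constructed stand-in for injected credential capture\n")
        _write(root, "web/shell.cgi", "# constructed placeholder standing in for a web shell\n")
        _write(root, "var/log/messages", "boot ok\nlogin ok\n")
        honest = signed_check(root, payload, tag)

        # Attacker then edits the on-box exclusion list to cover the new files.
        b = json.loads(payload)
        b["exclusions"] += ["web/shell.cgi", "web/js/auth.js"]
        tampered = json.dumps(b, sort_keys=True).encode()
        return {
            "honest": honest,
            "naive_with_tampered_exclusions": naive_check(root, tampered),
            "signed_with_tampered_exclusions": signed_check(root, tampered, tag),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows the naive check reporting nothing once the attacker has added the new files to the exclusion list, while the authenticated check rejects the edited baseline outright. The practical point is that the baseline, the exclusion list and the checker itself must be trusted from outside the device: a checker the attacker can edit is not evidence of integrity, so it should be run from media or a host the attacker does not control, and a clean check on a possibly compromised appliance should not be taken as proof of anything.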
How we can help:
To help protect our customers and enable them to act swiftly, we are offering 60 days of Zscaler Private Access free of charge, with onboarding professional services, to help you become as secure as possible.
Moving to a zero trust solution can help protect your business from zero-day threats such as these Ivanti vulnerabilities and similar flaws in other VPN products. It does this by removing exposed remote-access entry points: with no devices or IP addresses reachable from the internet there is nothing to scan for or exploit, because authorisation happens before an inside-out connection is ever made.
Get in touch with us below to ask questions or to sign up for 60 days of Zscaler Private Access free of charge.